AppSec in the Clouds: An evening with Cloud Native and Serverless

Organizer: OWASP Triangle Chapter

This month we are joined by two cloud security practitioners (Shaun from SAS and Ranga from Cisco), each delivering a talk about the intersection of Cloud and Security.

NOTE: First talk begins at 6:45, so grab your pizza and a seat.

Talk #1: Cloud Native for Speed & Security

Software development continues to shift towards container-based microservices, and multi-tenant cloud-native platforms like Kubernetes and Cloud Foundry are fast becoming the runtime of choice. This architectural shift has numerous security implications, including patch management, secret handling, network segmentation, security testing, and how best to apply application security controls. Instead of releasing a new version of a monolithic application every few months, development teams are continuously delivering microservices to production in agile fashion. With security personnel typically making up a small percentage of IT staff, how is a security team supposed to keep up?

Enter DevSecOps, where developers are empowered to perform security tasks themselves with guardrails and not roadblocks. Using a continuous integration tool, developers can wrap a microservice with an API gateway, bind a secret from a password vault to their cloud-native app, and kick off security tests. A WhiteHat Security study found that critical vulnerabilities take 129 days to fix on average, so DevOps teams need a way to get faster feedback about the security of their applications as well as options for quickly applying mitigations. During the presentation, I will show how to leverage features of the cloud platform's orchestration engine as well as an API gateway to prevent OWASP Top 10 vulnerabilities. Also, I will share container security best practices, and speak to the features in the cloud-native platform to segment tenants both from a network and resource perspective. I will wrap up with my lessons learned from deputizing and educating security champions for adopting DevSecOps.

Bio: Shaun Lamb works as an IT Security Architect at SAS Institute, where he focuses on application security. With a background in web application development, he strives to design solutions that make it easy for developers and administrators to apply security controls.

Talk #2: Securing the Serverless Workloads in the Cloud

Serverless computing is one of the most rapidly growing cloud models for developing and running applications. Just as cloud computing took away the need to manage physical data centers, with serverless computing the concept of running and managing a server is going away. This lets DevOps teams focus on writing the application code. Amazon started the first public cloud serverless computing service with "AWS Lambda", followed by "Google and Azure Functions". Gartner calls it one of the top[masked] technology trends as part of the "Mesh App and Service Architecture". The serverless trend makes security practitioners think about and apply controls differently: it shifts the security focus a lot closer to the application. In this talk, security architects from Cisco's InfoSec team will share how they have helped various Cisco teams across the globe build serverless applications securely on cloud providers like AWS and Azure. It will cover security architectural principles and best practices for serverless computing and go through various case studies and demos.

Bio: Ranga Vangara is a Technical Leader in Cisco Systems' Security and Trust Organization (InfoSec). He is a CISSP, CCSP, CSSLP, and GPEN certified software engineer/architect with extensive experience in software product and infrastructure software design and development. He is equally experienced in security-related fields like PKI and product security, and proficient at working with industry standards and product architectural issues. He is currently product owner of Continuous Security Buddy, an AWS InfoSec audit tool that leverages serverless technology extensively.

Poster: triangletech